Add configurable base URL for OSS Index API #5736
Merged
nscuro merged 6 commits into DependencyTrack:master from Jan 27, 2026
✅ Snyk checks have passed. No issues have been found so far.
462e1b3 to
3e73e48
nscuro
requested changes
Jan 22, 2026
Member
nscuro
left a comment
Thanks! Few small corrections otherwise looks good.
src/test/java/org/dependencytrack/tasks/scanners/OssIndexAnalysisTaskTest.java
Outdated
brianf
added a commit
to brianf/dependency-track
that referenced
this pull request
Jan 26, 2026
- Remove OSS Index base URL from application.properties (runtime-only)
- Remove incorrect configuration.md documentation
- Update ossindex.md to follow Snyk/Trivy pattern for runtime properties
- Remove ineffective test with no assertions
Addresses maintainer feedback on PR DependencyTrack#5736. The scanner.ossindex.base.url property is runtime-only and cannot be configured via application.properties. Updated documentation to clarify it must be set via environment variables, system properties, or the admin UI.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
brianf
added a commit
to brianf/frontend
that referenced
this pull request
Jan 26, 2026
Adds configurable Base URL field to the OSS Index analyzer admin UI, allowing users to point to alternative OSS Index API endpoints (e.g., https://api.guide.sonatype.com).
Implementation follows the established pattern from Snyk and Trivy analyzers for consistency:
- Uses b-validated-input-group-form-input component
- Implements required field validation with lazy evaluation
- Integrates with configPropertyMixin for API communication
- Property: scanner.ossindex.base.url (default: https://ossindex.sonatype.org)
The Base URL field appears between Alias Sync and Username fields, maintaining logical grouping of configuration options.
Related backend PR: DependencyTrack/dependency-track#5736
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
brianf
added a commit
to brianf/frontend
that referenced
this pull request
Jan 26, 2026
Adds configurable Base URL field to the OSS Index analyzer admin UI, allowing users to point to alternative OSS Index API endpoints (e.g., https://api.guide.sonatype.com).
Implementation follows the established pattern from Snyk and Trivy analyzers for consistency:
- Uses b-validated-input-group-form-input component
- Implements required field validation with lazy evaluation
- Integrates with configPropertyMixin for API communication
- Property: scanner.ossindex.base.url (default: https://ossindex.sonatype.org)
The Base URL field appears between Alias Sync and Username fields, maintaining logical grouping of configuration options.
Related backend PR: DependencyTrack/dependency-track#5736
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brian Fox <brianf@sonatype.com>
This change adds the ability to override the OSS Index API base URL, allowing users to point to alternative OSS Index instances, corporate proxies, or on-premises deployments.
Changes:
- Added SCANNER_OSSINDEX_BASE_URL configuration property with default value https://ossindex.sonatype.org
- Implemented lazy-loading getApiBaseUrl() method that reads from configuration and caches the result
- Updated all OSS Index API calls to use the configurable URL
- Added configuration examples to application.properties
- Updated documentation in configuration.md and ossindex.md
- Added test cases for custom URL configuration
The implementation follows the existing pattern used by Snyk and Trivy analyzers, ensuring consistency across the codebase. The change is fully backward compatible - existing installations will continue using the public OSS Index service unless explicitly configured otherwise.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brian Fox <brianf@sonatype.com>

The default constructor was initializing apiBaseUrl with DEFAULT_API_BASE_URL, preventing getApiBaseUrl() from reading the custom URL configuration. Changed to pass null, enabling lazy-loading from config property.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brian Fox <brianf@sonatype.com>

Document Sonatype's migration to the new API endpoint at https://api.guide.sonatype.com which requires new API tokens. Updated examples in application.properties and documentation to reference the new endpoint.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brian Fox <brianf@sonatype.com>

Fix incorrect documentation stating that new API tokens are required for the new api.guide.sonatype.com endpoint. Existing tokens from ossindex.sonatype.org work with both endpoints.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brian Fox <brianf@sonatype.com>

Addresses PR feedback on DependencyTrack#5736:
- Remove OSS Index base URL from application.properties (runtime-only)
- Remove incorrect configuration.md documentation
- Update ossindex.md to follow Snyk/Trivy pattern for runtime properties
- Remove ineffective test with no assertions
The scanner.ossindex.base.url property is runtime-only and cannot be configured via application.properties. Updated documentation to clarify it must be set via environment variables, system properties, or the admin UI.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brian Fox <brianf@sonatype.com>

Removes unused static import that was left after deleting the testGetApiBaseUrlWithDefaultValue() test method.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brian Fox <brianf@sonatype.com>
1d4db66 to
5da1a61
Summary
Adds support for configuring the OSS Index API base URL via the scanner.ossindex.base.url property. This enables users to: https://api.guide.sonatype.com
Motivation
Sonatype is migrating OSS Index to a new API endpoint at https://api.guide.sonatype.com which requires new API tokens. Users need the ability to configure this endpoint before the legacy endpoint is deprecated.
Resolves #5737
Changes
Core Implementation
- SCANNER_OSSINDEX_BASE_URL configuration property to ConfigPropertyConstants.java
- OssIndexAnalysisTask.java to support lazy-loading of custom base URL from configuration
- https://ossindex.sonatype.org when not configured
Testing
- testAnalyzeUsesCustomBaseUrl() test to verify custom URL configuration works
- testGetApiBaseUrlWithDefaultValue() test for default behavior
Documentation
- application.properties with example configuration and migration notice
- docs/_docs/datasources/ossindex.md with detailed configuration instructions
- docs/_docs/getting-started/configuration.md with new endpoint information
Implementation Details
The implementation uses lazy-loading with caching:
- null to allow configuration loading
- getApiBaseUrl() checks configuration on first call and caches the result
Testing
mvn -P enhance -Dtest=OssIndexAnalysisTaskTest test
All 9 tests pass, including the new custom URL test.
Backward Compatibility
✅ No breaking changes - default value matches current hardcoded URL
✅ Existing installations continue using public OSS Index without changes
✅ Constructor pattern preserved for testing
Commit Message Compliance
All commits follow the project's contribution guidelines:
🤖 Generated with Claude Code
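The lazy-loading pattern described under Implementation Details, shown as an added Java example that is not code from this pull request or from Dependency-Track. The class name, the `configLookup` function and the `validate` policy (https only, a host, no embedded user-info, since analyzer credentials are sent to whatever host is configured) are assumptions for illustration; the property name and default URL are the ones given above.

```java
import java.net.URI;
import java.util.function.Function;

// Added illustration; LazyBaseUrlExample and configLookup are hypothetical names.
public class LazyBaseUrlExample {
    static final String PROPERTY = "scanner.ossindex.base.url";
    static final String DEFAULT_API_BASE_URL = "https://ossindex.sonatype.org";

    private final Function<String, String> configLookup; // stand-in for the config store
    private volatile String apiBaseUrl;                   // null means "not resolved yet"

    // Default-style constructor: passes null so the first getApiBaseUrl() call reads
    // configuration. Passing DEFAULT_API_BASE_URL here would hide any configured value.
    LazyBaseUrlExample(Function<String, String> configLookup) {
        this(configLookup, null);
    }

    // Test-style constructor: an explicit URL bypasses the configuration lookup.
    LazyBaseUrlExample(Function<String, String> configLookup, String apiBaseUrl) {
        this.configLookup = configLookup;
        this.apiBaseUrl = apiBaseUrl;
    }

    String getApiBaseUrl() {
        String url = apiBaseUrl;
        if (url == null) {
            String configured = configLookup.apply(PROPERTY);
            url = (configured == null || configured.isBlank())
                    ? DEFAULT_API_BASE_URL : validate(configured.trim());
            apiBaseUrl = url; // cache so later calls skip the lookup
        }
        return url;
    }

    // Assumed policy, not taken from the PR: require https, a host, and no user-info.
    static String validate(String value) {
        URI uri = URI.create(value);
        if (!"https".equalsIgnoreCase(uri.getScheme())
                || uri.getHost() == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("Rejected " + PROPERTY + ": " + value);
        }
        return value.replaceAll("/+$", ""); // drop trailing slashes before paths are appended
    }

    public static void main(String[] args) {
        System.out.println(new LazyBaseUrlExample(k -> "https://api.guide.sonatype.com/").getApiBaseUrl());
        System.out.println(new LazyBaseUrlExample(k -> null).getApiBaseUrl());
        System.out.println(new LazyBaseUrlExample(k -> "ignored", "https://mock.invalid").getApiBaseUrl());
    }
}
```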